(Part Two of a Three Part Series)
Since Equifax’s September 15th statement about their well-publicized, broadly discussed major security incident, Coalfire has fielded multiple inquiries from clients who are wondering if such an incident could happen to them, and if there is anything that they can do to better protect and prepare themselves.
While every situation is different, one thing is clear: cyber risk management ought to be a top priority for every enterprise, and that priority should be established and enforced through cybersecurity governance.
Cybersecurity governance refers to the management responsibilities and practices that ensure the effective use of cybersecurity protocols and controls an enterprise deploys to achieve its goals. Good cybersecurity governance can therefore help an enterprise protect its information and related assets more efficiently and cost effectively. Inadequate cybersecurity governance only exacerbates inherent security weaknesses that ultimately get exploited by bad actors, and can lead to business impacts such as we have witnessed with the Equifax breach (e.g., billions of dollars in class action suits, heavy stock market losses, leadership casualties). Governance is, therefore, of critical importance, and a worthy subject of our second post in a series of “Lessons Learned” from the incident. (The first blog, written by my colleague Bob Post, can be found here.)
Lesson #2: The Value of Governance in Minimizing Cybersecurity Incidents
It is reasonable to expect executive/senior management to set the tone, expectations, and strategic requirements for cybersecurity management and operations (including relevant compliance obligations where applicable) in an enterprise. Typically, these should be articulated as a formal enterprise cybersecurity policy, which eventually gets translated into an internal hierarchy of cybersecurity standards, processes, and controls that should drive cybersecurity operations in an enterprise. To ensure that provisions in the policy are adequately satisfied, executive/senior management must have a means of obtaining feedback on cybersecurity management and operations. This feedback is typically in the form of metrics that indicate that cybersecurity goals have been met, risks mitigated, or desired outcomes and performance levels achieved.
The aggregate of policy, standards, processes, controls, and metrics constitute key components of a mature governance framework. The framework should be sustainable if it is supported by an appropriate operating model with inherent strategic and tactical roles and responsibilities within an enterprise’s security function. The benefits of good governance are widely demonstrated and published. From a cybersecurity perspective, some of these benefits include:
- Enabling executive leadership visibility into enterprise cybersecurity management and operations
- Facilitating due diligence and performance with enterprise cybersecurity management and operations
- Aiding the realization of desired outcomes from cybersecurity investments and related initiatives
- Proactively determining the key cybersecurity challenges that exist within an enterprise and their net business impacts, so that mitigation efforts can be duly prioritized
- Ultimately reducing cybersecurity risks to an acceptable minimum
If effective cybersecurity governance is to be achieved in an enterprise, then it is incumbent on the cybersecurity leaders within that enterprise to architect, implement, and sustain a related framework that is mature enough to realize desired enterprise cybersecurity management and operational outcomes. Effective cybersecurity governance should therefore be a reasonable expectation for every enterprise, so that undesirable events and outcomes are avoided as best as possible.
In some organizations, unfortunately, some of these governance framework components do not exist or are quite immature. For example, cybersecurity policies are often at a tactical level, are predominantly shelf-ware, and/or have no executive leadership input and insights. The tone and expectations for cybersecurity management and operations are therefore largely assumed, and often left to a few tactical “must-dos” that are based on best efforts, not well thought out, reactive in nature (check the box), and do not sufficiently protect an enterprise’s information assets. In the coming weeks and months, the news media, analysts, regulators, prosecutors, and special interest groups alike will be examining the factors that led to Equifax’s breach. While only some of the underlying issues have been made public, we believe that several governance challenges will ultimately emerge.
Question #1– Did executive/senior management have sufficient visibility into enterprise cybersecurity management and operations?
Equifax reported that unauthorized access to certain files containing personal identifiable information occurred from May 13, 2017 through July 30, 2017 – approximately two and half months. This is a fairly long period of time for any form of continued unauthorized access to sensitive data. The company blamed a vulnerability in Apache Struts for this situation and said they were aware of this vulnerability since March 2017 – a situation that was brought to their attention by US CERT and not determined internally at Equifax.
There are some burning questions – Does Equifax have mature vulnerability management practices and controls? How effective is their security monitoring? Was there sufficient knowledge and understanding of the probability, severity, and impact of such unauthorized access, and hence the level of risk to Equifax? Was the urgency of addressing this vulnerability fully understood? If so, was this material enough to merit executive/senior management visibility (via a risk and impact reporting metric)?
It could be argued that if executive/senior management had prompt knowledge and understanding of the vulnerability and its real business impact, measures beyond waiting on a system patch might have been authorized more rapidly to mitigate (or even eliminate) the underlying business risks. In other words, if executive/senior management had contemplated a business impact of this scale, they might have funded a risk mitigation initiative to limit access to such sensitive information (e.g., strong data encryption) or invested in other initiatives that would have significantly limited their loss exposure.
Equifax reported that its CEO is stepping down, and their Chief Information Officer (CIO) and Chief Security Officer (CSO) are retiring and have named replacements, effective immediately. Could this consequential decision on the part of Equifax be attributed to the lack of governance structures in facilitating prompt cybersecurity risk identification, business impact reporting, and mitigation, or could this be consequential to cybersecurity and IT leadership failure? These questions raise concerns about executive/senior management visibility into their cybersecurity management and operations. There are also governance issues tied to Equifax’s operating model for cybersecurity, maturity of internal standards, processes, and controls, as well as strategic and tactical roles and responsibilities.
One question that was asked in the aftermath of the Equifax breach was – Why were several senior leaders “out of the loop?” Not knowing about an incident of this magnitude of business impacts, when investigations had already begun, raises further questions about the executive/senior management insights into the company’s security practices.
It should be apparent by now that corporate boards everywhere will take swift and decisive actions in the wake of Equifax, demanding that management maintains continuous visibility into their own cybersecurity practices and controls, instituting measures to proactively identify risks, understand their business impacts and take measures to promptly mitigate them if those measures are not already firmly in place.
Question #2 – Is there sufficient due diligence and performance regarding enterprise cybersecurity management and operations?
The Equifax breach resulted in hackers gaining access to files that included names, Social Security numbers, and driver's license numbers of more than half of the U.S. adult population. Credit card numbers of about 209,000 consumers and dispute documents with more in-depth personal identifying information (PII) of another 182,000 people were also obtained. The sensitivity of these types of information is without question. As a result, it should be expected that the standards, processes, and controls required to protect such sensitive data are mature and operating effectively. Considering that two and half months of continued unauthorized access to sensitive data occurred (per Equifax), it can be inferred that Equifax’s cybersecurity standards, processes, and controls are either immature or are not operating effectively. If either case, good cybersecurity governance should have helped raise maturity and/or operating effectiveness gaps and the inherent risk implications.
According to Fortune Magazine, Equifax purchased an identification protection service called ID Watchdog on Aug. 10, 2017, two weeks after Equifax discovered the data breach but a month before disclosing it publicly. Equifax said it acquired the firm last month for $63 million without revealing that its systems had been penetrated, thus drastically enhancing the market for identity protection services. Based on these reports and the timing of the acquisition, it could be argued that there may have been a lack of confidence in Equifax’s cybersecurity program, and per the impact of the breach, something significant had to be done quickly to try to address the situation internally. When an enterprise lacks a governance framework desired to assure the achievement of value, risk mitigation, and desired outcomes, these kinds of rapid reactions and decisions can occur, and sometimes tell more of the story than may have been intended.
There is another lesson regarding due diligence and performance of enterprise cybersecurity management and operations related to privacy. Obviously, sensitive PII has now been inadvertently shared with an unauthorized third party (or parties), not to mention information about credit information disputes. It is not immediately clear what the hackers have done (or will do) with the data obtained. However, the financial and non-financial impacts of privacy breaches are very high and incur the wrath of the public, state Attorney Generals, and business partners that suffer losses related such breaches. Cybersecurity governance helps avoid these challenges by ensuring that risks to information (especially sensitive information) are known and that the severity of associated impacts are understood, so that appropriate practices and controls can be designed and implemented to make it harder for bad actors to gain access. More importantly, governance also helps maintain operating effectiveness of these practices and controls for the long term.
Equifax will now have to deal with all these challenges for some years to come and potentially have to assess its viability, considering that it’s an $11 billion company now dealing with over $80 billion in class action suits and a loss of $6 billion in stocks. The company will likely be in litigation for years to come. Collectively, we are personally on notice re: privacy. We have already seen calls for increased regulation, and many experts believe that U.S. lawmakers will consider actions like the European Union’s General Data Protection Regulation (GDPR). Whether that happens or not, the lessons learned from the Equifax breach highlight the important of effective cybersecurity governance. It is never sufficient to meet a regulatory obligation, implement security tools, or implement policies, standards, processes, and controls without having a mechanism to measure their value to an enterprise as well as how well inherent risks are mitigated.
We believe that, sooner rather than later, corporate boards and enterprises at large will be setting new, higher expectations on cybersecurity and privacy, and will want to ensure that these expectations are fully met to reduce associated risks to a minimum. Governance offers the most realistic chance for corporate boards and enterprises to assure that set expectations are adequately fulfilled through a continuous tracking of progress toward goals, performance, and risk.
These two governance-related questions are perhaps a subset of the challenges that Equifax will face. They are meant to illustrate a simple point: that enterprises that experience security breaches must deal with issues that extend far beyond the primary loss, including their policies, operating standards, and decisions, which will all come under scrutiny. We believe that enterprises everywhere will learn from the Equifax experience and embed governance into their cybersecurity programs and provide reasonable assurance of the value creation, risk mitigation, effective use of resources and more in the protection of information and related assets.
Lessons Learned: Protecting Confidential Data Blog Series
Part 1: You Might Not Be as Secure as You Think
Part 2: The Value of Governance in Minimizing Cybersecurity Incidents
Part 3: How You Respond Can Make All the Difference